Managing the SSL Certificate for the Production Career Site

Objectives

After completing this lesson, you will be able to:
  • Generate a certificate signing request file with the customer's IT security team
  • Direct the customer to procure the certificate from a certificate authority
  • Provide the CNAME to the customer
  • Configure reminders for certificate renewals

SSL Certificate Signing Request Generation

Career Site Builder (CSB) has a feature that allows organizations to manage the SSL certificates for their public career site. To access it from CSB, select Tools → SSL Certificates.

SSL Certificate Overview

Implementation partners use the SSL Certificates page to obtain and install the original SSL certificate for the customer’s CSB career site. Customers or partners use the tool to renew SSL certificates.

The purpose of setting up SSL is to encrypt personal data being passed between the Career Site Builder site and the SAP SuccessFactors Recruiting applicant tracking system (ATS) when a candidate applies to a job. The SSL certificate also serves as authentication, proving that the site belongs to that company.

SSL is only enabled for the production environment. Stage SSL is a low level of security settings applied to the entire environment. SAP may enable it, but most users see a certificate error during User Acceptance Testing (UAT) as a result. This is not a defect.

Timing

The implementation consultant, working with the customer, must begin the process as soon as the site is moved to production.

Hint

Recommend that your customer’s IT security team decide on the values for the certificate signing request (CSR) fields before moving the site to production, so you’re ready to start the process immediately. Schedule a call with the customer’s technical contact who will be renewing the SSL certificate in the future and complete the CSR together. 

It takes a minimal amount of time to generate the CSR, submit the certificate, and install it. However, it may take one to two weeks to obtain the certificate, depending on the certificate authority. Renewals are typically handled faster.

Permissions

Access to Career Site Builder requires the Manage Career Site Builder permission from Admin Center.

If Career Site Builder's role-based permissions are enabled, set the SSL Certificates permission from CSB by selecting Users → Roles for any users who should have access. Customers may want to create a role that can only access SSL certificates, not other parts of Career Site Builder. The role would allow other individuals in the organization, such as the IT security team, to manage SSL certificates.

Select the SSL Certificates permissions checkbox for specific user roles.

General SSL Certificate Process

There are two options that system admin users can choose to start the certificate renewal process.

  • The recommended process is Option 1: To obtain and install your SSL (typical).
  • Option 2: Allows you to upload a new SSL certificate based on an existing CSR.

SSL Certificates page is displayed with two options. Option 1: To obtain and install your SSL (typical) option is highlighted.

Manage SSL Certificates

Complete the recommended SSL certificate process:

Steps

  1. Generate a certificate signing request (CSR) file.

  2. The customer procures the certificate from a certificate authority.

  3. Once the SSL certificate is received, submit the certificate along with the intermediate certificate.

  4. Install the SSL certificate.

  5. Provide the CNAME to the customer.

To complete the recommended SSL certificate process, on the Generate Certificate Signing Request page, fill out the following (obligatory) fields: Common Name (CN), Organization (O), Organizational Unit (OU), City/Locality (L), State/Province (ST), and Country/Region (C).

SSL Certificate Signing Request

Fields on the SSL Certificate Signing Request

The customer’s IT security team can use the following information to populate the fields on the SSL certificate signing request:

  • Common Name (CN): The fully qualified domain name of the hostname using lowercase letters (a-z), uppercase letters (A-Z), digits (0-9), periods (.), and hyphens ( - ). 64-character limit. Don't use wildcard characters (such as an * asterisk), commas, port numbers, path names, or protocol as part of the name (such as http:// or https://). Subdomains must start with an uppercase or lowercase letter. Example: jobs.sap.com.
  • Organization (O): The legal name of the organization. Don't abbreviate or use any of these symbols: ! @ # $ % ^ * ( ) ~ ? > < / \
  • Organizational Unit (OU): The department or division name.
  • Certificate Manager Email Address: The email address of the person in the organization who is responsible for managing SSL certificates. This individual may or may not be the same as the contact person.
  • City/Locality (L): The city or locality of the organization. Don't abbreviate the City/Locality. For example, use Saint Louis and not St. Louis.
  • State/Province (ST): For U.S. and Canadian organizations, enter the state or province. Don't abbreviate. U.S. organizations should specify the state they operate from, even if they're incorporated in another state.
  • Country/Region (C): This field contains the 2-character ISO format country/region code. For example, use GB for Great Britain, and US for the United States. Refer to the following for a complete list: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
  • Subject Alternative Name (SAN): The Common Name (CN), and any additional hostnames covered by the certificate, separated by commas. 64-character limit. Don't use wildcards, port numbers, path names, or protocol as part of the name (such as http:// or https://). Subdomains must start with an uppercase or lowercase letter.
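
A pre-flight check the IT security team could run on the values they plan to enter, applying the field rules listed above. This is an added example, not SAP code; the function names, the sample values, and the readings marked as assumptions in the comments are not from the lesson, and the country check covers format only, not the ISO list.

```python
import re

HOST_CHARS = re.compile(r"[A-Za-z0-9.-]+")   # characters allowed in a hostname
ORG_FORBIDDEN = set("!@#$%^*()~?></\\")      # symbols not allowed in Organization
REQUIRED = ("CN", "O", "OU", "L", "ST", "C")  # the obligatory CSR fields

def check_hostname(name):
    """Return the problems found in one CN or SAN hostname."""
    problems = []
    if len(name) > 64:
        problems.append("is longer than 64 characters")
    if "://" in name:
        problems.append("contains a protocol")
    if "*" in name:
        problems.append("contains a wildcard")
    if not HOST_CHARS.fullmatch(name):  # also catches commas, ports and paths
        problems.append("has characters other than a-z, A-Z, 0-9, '.', '-'")
    labels = name.split(".")
    if len(labels) < 2 or "" in labels:
        problems.append("is not a fully qualified domain name")
    # Assumption: "subdomain" means every label left of the last two.
    elif any(not label[0].isalpha() for label in labels[:-2]):
        problems.append("has a subdomain that does not start with a letter")
    return problems

def check_csr_fields(fields):
    """Return {field: [problems]} for a dict of proposed CSR values."""
    report = {key: [] for key in REQUIRED + ("SAN",)}
    for key in REQUIRED:
        if not fields.get(key, "").strip():
            report[key].append("is required")
    cn = fields.get("CN", "").strip()
    if cn:
        report["CN"] += check_hostname(cn)
    bad = sorted(ORG_FORBIDDEN & set(fields.get("O", "")))
    if bad:
        report["O"].append("contains forbidden symbols: " + " ".join(bad))
    country = fields.get("C", "").strip()
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        report["C"].append("is not a 2-character code such as GB or US")
    # Assumption: the 64-character limit applies to each SAN hostname.
    sans = [h.strip() for h in fields.get("SAN", "").split(",") if h.strip()]
    for host in sans:
        report["SAN"] += [f"{host} {p}" for p in check_hostname(host)]
    if sans and cn.lower() not in (h.lower() for h in sans):
        report["SAN"].append("does not list the Common Name")
    return {key: probs for key, probs in report.items() if probs}

# Constructed sample values, not taken from a real request.
GOOD = {"CN": "jobs.example.com", "O": "Example Corporation", "OU": "Human Resources", "L": "Saint Louis", "ST": "Missouri", "C": "US", "SAN": "jobs.example.com,careers.example.com"}
BAD = {"CN": "https://*.example.com", "O": "Example Co. (US)", "OU": "HR", "L": "Saint Louis", "ST": "", "C": "USA", "SAN": "careers.example.com"}
```

`check_csr_fields(GOOD)` returns an empty dict; `check_csr_fields(BAD)` reports problems for CN, O, ST, C and SAN.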

SSL Certificate Procurement by the Customer

The customer procures the certificate from a certificate authority. They need to provide you with a certificate bundle, which includes the root and intermediate certificates.

SSL Certificate Installation

After the SSL certificate is received, submit the certificate along with the intermediate certificate. Then install the SSL certificate.

CSR Details and Certificate Audit History

Select the number in the Reference ID column to view CSR Details and the Certificate Audit History.

On the SSL Certificates page, the Reference ID column is highlighted. Select a reference ID.
On the Certificate Information page, select the CSR Details and Certificate Audit History tabs for more information.

CNAME Provided to the Customer

Implementation partners have one final mandatory step so that the career site is accessible over the Internet: Have your customer add a CNAME entry on their corporate domain server so their domain points to <Site_ID>.jobs2web.com.

CNAME directs the browser to the IP address on the customer's domain where the SSL certificate is hosted. Candidates are provided with a seamless experience. When accessing SAP's career site, for example, it appears to candidates that they're still on sap.com.

For example, the common name for SAP's career site is broken down here.

The common name (CN) for SAP's career site is jobs.sap.com. Details are explained below.

The common name (CN) on the CSR is jobs.sap.com.

  • sap is the domain
  • jobs is the subdomain
  • com is the suffix

SAP’s corporate domain server controls everything at sap.com unless there's a CNAME redirect. And there is a CNAME entry on the SAP server for the subdomain jobs.sap.com, which redirects to <Site_ID>.jobs2web.com.

After installing the customer's SSL certificate, the following information must be completed:

  • Implementation consultant: Provide the entire CNAME entry to your customer. For our SAP example, you would provide: jobs.sap.com → <Site_ID>.jobs2web.com.
    • <Site_ID> refers to the Site ID value at CSB → Settings → Site Configuration → Site Information. It is always expressed in digits, such as 12340.
  • Customer: Add the CNAME entry to the corporate domain server.

SSL Certificate Renewals

SSL certificate-issuing authorities have set the duration of an SSL certificate to 398 days. An expired SSL certificate means that visitors to the career site see a security warning and are blocked from accessing the site. For this reason, you never want to let the SSL certificate expire.

To view the expiration date for an existing SSL certificate, open the public career site and choose the padlock icon to the left of the URL. Follow the prompts.

To view an SSL certificate's expiration date, open the public career site, click the padlock icon next to the URL, select the arrow next to Connection is secure, and then click the button next to Certificate is valid. Check the validity dates in the Certificate dialog box.

SSL Certificates Reminders

Career Site Builder offers the following reminder methods about renewing SSL certificates:

  • The ability to enable email reminders for admin users
  • A pop-up dialog that appears when logging in to Career Site Builder

Email Reminders

Email reminders are triggered at 90 days, 60 days, 30 days, and 7 days before the certificate expires. Emails are sent to users who have Enable SSL Notification selected from Users → Roles → Admin Users.

On the Edit Admin User page, turn the Enable SSL Notification toggle on.

To help administrators identify the specific Recruiting career site certificate that is set to expire, the email reminders include the following information: RCM Company ID, Career Site Builder Site ID, Site Name, Career Site URL.
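
An independent expiry check that reads the validity date from the certificate the site actually serves and maps it onto the same 90/60/30/7-day schedule, so renewal does not depend on one mailbox. This is an added example, not part of Career Site Builder; the function names and sample dates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

REMINDER_DAYS = (90, 60, 30, 7)  # the email reminder schedule described above

def fetch_not_after(host, port=443, timeout=10):
    """Return the notAfter string of the certificate served by host.

    The default context verifies the chain, so an already expired
    certificate raises ssl.SSLCertVerificationError; treat that as an alert.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    seconds = ssl.cert_time_to_seconds(not_after)
    expires = datetime.fromtimestamp(seconds, timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days

def renewal_status(not_after, now=None):
    """Map the remaining lifetime onto the 90/60/30/7-day schedule."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return remaining, "expired: visitors see a security warning"
    passed = [d for d in REMINDER_DAYS if remaining <= d]
    if not passed:
        return remaining, "ok: no reminder due yet"
    return remaining, f"renew: inside the {min(passed)}-day reminder window"

if __name__ == "__main__":
    # Constructed dates in the format getpeercert() returns; no network needed.
    today = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for sample in ("Feb  3 00:00:00 2026 GMT", "Mar 15 12:00:00 2025 GMT",
                   "Jan  6 00:00:00 2025 GMT", "Dec 31 00:00:00 2024 GMT"):
        print(sample, renewal_status(sample, today))
```

To check a live site, pass the result of `fetch_not_after("<career site hostname>")` to `renewal_status` from a scheduled job.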

Pop-up Banner Reminders

A pop-up banner is shown to all users with access to the Site Configuration menu in CSB when the certificate is going to expire in less than 90 days. For this reason, add users who are responsible for the SSL certificate to Recruiter SSO. See Units 5 and 10 for details about setting CSB permissions.

On the Permission Pop-up Banner, select the Site Configuration checkbox.
  • If the user selects Acknowledge, the banner will not display next time they log in.
  • If the user selects Ignore, they will be reminded again the next time they log in.

Additional Information about SSL Certificates

Customers can have multiple certificates installed and in use. When there is more than one certificate issued to the same domain (for example, test01.sap.corp), the last one installed is active.

Remember that Career Site Builder (CSB) only supports two domains to access the site, defined from Career Site Builder → Settings → Site Configuration → Site Information:

  • Site URL
  • Use Redirect

See additional information about SSL certificates in the Recruiting guide, including tips to complete the CSR fields. Navigate to the page, SSL Certificates Settings in Career Site Builder Tools.

Wildcard Certificates: Not Recommended

There are different types of SSL certificates.

The leading practice is to use Option 1 to generate a CSR for a subdomain SSL certificate for your customer’s career site. Option 1 may not be used to generate a CSR for a wildcard certificate. Wildcard certificates are supported, but are not the leading practice because they involve the risk of compromising the private key required for SSL installation. When following the recommended process (Option 1), SAP has the private key, so there is no issue with compromising the private key in transit.

If the customer wants to use an existing wildcard certificate, use Option 2 to upload it, along with the private key. Wildcards became popular for fluid websites that are not permanent. For a permanent, known domain, customers should have a proper registered SSL certificate instead of a wildcard certificate. For more information, see SAP Knowledge Base Article (KBA) 2809025 - SSL installation using wildcard certificates - Recruiting Marketing.

Knowledge Base Articles: SSL Certificates

A number of Knowledge Base articles have been written with important information about SSL certificates, including the following:
